January 13, 2009
World’s Most Dangerous Coding Errors Revealed
A list of the world's most dangerous coding mistakes was put together with help from the U.S. National Security Agency.
The list contains 25 errors that cyber criminals could use to cause serious security breaches in vulnerable areas. Many of these errors are not well understood by programmers, experts said.
Just two of the errors resulted in more than 1.5 million web site security breaches during 2008, according to the SANS Institute in Maryland.
Experts believe this may be the first time the industry has reached agreement on the worst things that can creep into software as it is being written.
Over 30 organizations published the document, including the US National Security Agency, the Department of Homeland Security, Microsoft, and Symantec.
Chris Wysopal, chief technology officer with Veracode, said the top 25 list gives developers a minimum set of coding errors that must be eradicated before software is used by customers.
"There appears to be broad agreement on the programming errors. Now it is time to fix them," says SANS director, Mason Brown. "We need to make sure every programmer knows how to write code that is free of the top 25 errors."
He added that it is important to make sure every programming team has processes in place to find and fix these problems in existing code, and has the tools needed to verify that their code is free of these errors.
"If programmers prevented these errors appearing in their code, it would deter the majority of hackers," said Patrick Lincoln, director of the Computer Science Laboratory at SRI International.
"This list is primarily for people who have first responsibility for designing a system. Veteran programmers have probably learnt the hard way whereas a brand new programmer will be making more basic errors."
He noted that a real dedicated serial attacker would most likely find a way in even if all these errors were removed.
"But a high school hacker with malicious intent - ankle-biters if you will - would be deterred from breaking in."
In the past, programmers have focused on vulnerabilities that can result from programming errors. The top 25 list examines the actual programming errors themselves.
Also supporting the list was the US Office of the Director of National Intelligence, the principal adviser to the President, the National Security Council and the Homeland Security Council.
A statement was released saying: "We believe that integrity of hardware and software products is critical for cyber security."
"Creating more secure software is a fundamental aspect of system and network security, given that the federal government and the nation's critical infrastructure depend on commercial products for business operations."
The statement went on to say that the top 25 is an important component of an overall security initiative for our country and it encourages the utility of this tool through other venues such as cyber education.
On the Net:
- U.S. National Security Agency
- SANS Institute
- Department of Homeland Security
- SRI International